Analytical Calculation of Failure Probabilities in Dynamic Fault Trees including Spare Gates

Guillaume Merle, Jean-Marc Roussel, Jean-Jacques Lesage, Nicolas Vayatis

HAL Id: hal-00516893, https://hal.archives-ouvertes.fr/hal-00516893
Submitted on 13 Sep 2010

HAL is a multi-disciplinary open access archive for the deposit and dissemination of scientific research documents, whether they are published or not. The documents may come from teaching and research institutions in France or abroad, or from public or private research centers.

To cite this version: Guillaume Merle, Jean-Marc Roussel, Jean-Jacques Lesage, Nicolas Vayatis. Analytical Calculation of Failure Probabilities in Dynamic Fault Trees including Spare Gates. European Safety and Reliability Conference (ESREL 2010), Sep 2010, Rhodes, Greece. pp. 794-801. hal-00516893


Analytical Calculation of Failure Probabilities in Dynamic Fault Trees including Spare Gates

Guillaume Merle, Jean-Marc Roussel, and Jean-Jacques Lesage
LURPA, ENS de Cachan, Cachan, France

Nicolas Vayatis
CMLA, ENS de Cachan, Cachan, France

This paper focuses on one of the dynamic gates which are used in Dynamic Fault Trees (DFT): the Spare gate. We provide an algebraic model which makes it possible to determine the structure function of DFTs with Spare gates, from which qualitative analysis can be performed directly. We also provide a probabilistic model which makes it possible to determine the failure probability of Spare gates without any restriction on the failure distribution of basic events.

1 INTRODUCTION

Fault Tree Analysis (FTA) is one of the oldest and most widespread techniques in industrial applications for the dependability analysis of large safety-critical systems (Henley and Kumamoto 1981; Leveson 1995; Stamatelatos and Vesely 2002). When the interactions between events can be described by means of Boolean OR/AND gates only, so that only the combination of events is relevant, and not their sequence, Fault Trees are called Static Fault Trees (SFT). Dugan et al. (Dugan, Bavuso, and Boyd 1990; Dugan, Sullivan, and Coppit 2000) proposed a new model which makes it possible to include various kinds of temporal and statistical dependencies in the SFT model: the Dynamic Fault Tree (DFT). The DFT is based on the definition of new gates: Priority-AND (PAND), Functional Dependency (FDEP), Warm Spare (WSP), and Sequence Enforcing (SEQ).

The first dynamic gate, the Priority-AND gate, was introduced in 1976 (Fussel, Aber, and Rahl 1976) to model sequences of failures. Then, the FDEP gate was introduced in 1990 (Dugan, Bavuso, and Boyd 1990) to model common cause failures, and the Spare gate was finally introduced in 2002 (Coppit and Sullivan 2002) to model redundancies.

Even though such dynamic gates make it possible to model failure scenarios that SFTs cannot handle, the analytical techniques commonly used to analyze SFTs cannot be used to analyze DFTs, and other types of techniques, mainly based on state models, must be used.

As stated in (Merle, Roussel, Lesage, and Bobbio 2010), gates PAND and FDEP have sequential or preemption-based behaviors and can easily be modeled by means of discrete mathematics. However, the Spare gate is more complex, since it is statistically dependent on the failure order of events and its probability of occurrence is not completely defined by an order relation.

Many compositional techniques have been envisaged to analyze DFTs with Spare gates, either in terms of Stochastic Petri Nets (Bobbio and Raiteri 2004; Raiteri 2005), or in terms of Input/Output Interactive Markov Chains (Boudali, Crouzen, and Stoelinga 2007). In (Dutuit and Rauzy 1996), the quantitative analysis of the DFT consists in exploding minimal subtrees containing dynamic gates into their state-space representation, and computing numerically the related occurrence probability by means of a Continuous Time Markov Chain (Dugan, Bavuso, and Boyd 1992; Gulati and Dugan 1997), thus assuming exponential time-to-failure distributions. Another approach, based on Temporal Bayesian Networks, is introduced in (Boudali and Dugan 2005) and makes it possible to include any probability distribution. In (Amari, Dill, and Howals 2003), closed form expressions are determined as a function of the generic probability distributions of the basic events, and a numerical integration is proposed to solve them. In any case, the solution of a DFT forces a quantitative analysis. A common obstacle in any quantitative technique is the lack of accurate, reliable data on the failure distribution of the components. To overcome this well-known deficiency, the qualitative analysis is often the only valuable information on the system dependability. Nevertheless, the qualitative analysis of DFTs has never been fully considered in the literature, and the concept of minimal cut set needs to be revisited to account for the possible order of the failure events. The authors of (Tang and Dugan 2004) propose to decompose the qualitative analysis into a logical (Boolean) part and a timing part. Dynamic gates are replaced with the static gates which correspond to their logical constraints, the minimal cut sets of the resulting SFT are then generated, and each minimal cut set is expanded to minimal cut sequences by considering timing constraints. However, the procedure is not completely developed.

In previous papers, we presented an algebraic framework which makes it possible to determine the structure function of DFTs with PAND gates (Merle and Roussel 2007) and FDEP gates (Merle, Roussel, Lesage, and Bobbio 2009; Merle, Roussel, Lesage, and Bobbio 2010). We also detailed how to perform the quantitative analysis of such DFTs from their structure function. In this paper, we recall the basics of this algebraic framework and we extend the previous results to the case of Spare gates.

The algebraic framework that we use to model Spare gates is presented in Section 2. The algebraic model of Spare gates is introduced in Section 3, and the probabilistic model which can be deduced from it is given in Section 4. Finally, in Section 5, a DFT example highlights the usefulness of both models for qualitative and quantitative analysis.

2 BASICS AND NOTATIONS OF THE ALGEBRAIC FRAMEWORK

This algebraic framework was described in (Merle, Roussel, Lesage, and Bobbio 2010) and was proposed to render the order of occurrence of events, which is necessary for the modeling of dynamic gates. It will not be detailed here; only the basics and notations needed to understand the remainder of this paper will be explained. To take into account the temporal aspect of events, we consider the top event, the intermediate events, and the basic events as temporal functions which are defined on the set of positive times and take Boolean values. As we consider non-repairable events only, a generic timing diagram of an event a is given in Fig. 1, where d(a) is the unique date of occurrence of a. The never-occurring event is denoted by ⊥.

[Figure 1: A non-repairable event – timing diagram of an event a over time t, with value 0 before its date of occurrence d(a) and 1 from d(a) onwards.]

This algebraic framework does not need to explicitly take time into account, since we only need to know the order in which events occur to model dynamic gates. We then defined three temporal operators to model dynamic gates, which are the operators non-inclusive BEFORE (noted ◁), SIMULTANEOUS (noted △), and Inclusive BEFORE (noted ⊴). Thus, for instance, the algebraic model of the PAND gate in Fig. 2 becomes

$$Q = (A \cdot B) \cdot (A \unlhd B),$$

which expresses that the output Q of the gate fails if A and B fail and if A fails before or at the same time as B.

Figure 2: A PAND gate

As the non-inclusive BEFORE operator is sufficient to model Spare gates, it is the only temporal operator that will be retained in the remainder of this paper. Furthermore, we have demonstrated that this algebraic framework makes it possible to determine the structure function of SFTs as it is commonly done by using the classical Boolean algebra of Boolean variables. Besides, the definition of the three temporal operators makes it possible to determine the structure function of any DFT with gates PAND and FDEP, and the theorems which were provided make it possible to reduce this structure function to the canonical form in (1), where TE is the Top Event of the DFT and the events $b_i$ are the basic events of the DFT.

$$TE = \sum \Big( \prod b_i \cdot \prod (b_j \lhd b_k) \Big), \qquad j \notin \{i, k\}. \qquad (1)$$

3 ALGEBRAIC MODEL OF THE SPARE GATE

Two factors impact the difficulty of modeling the Spare gate: the number of input events of the Spare gate, and the possibility for several Spare gates to share one or more spare events. This section presents the algebraic model of the Spare gate in increasing order of complexity. The algebraic model of a single Spare gate with 2 to n input events is presented in Sections 3.1 to 3.3. The particular case of 2 Spare gates with 2 input events sharing a spare event is presented in Section 3.4, and we show how to generalize it to n Spare gates with 2 input events sharing a spare event in Section 3.5.

Besides, we consider that there is only one type of Spare gate, which is the Warm Spare gate, and that Cold and Hot Spare gates (Stamatelatos and Vesely 2002) are particular cases of Warm Spare gates. Both of them are studied in Section 3.6.

3.1 Algebraic model of a single Spare gate with 2 input events

Let us consider a Spare gate with 2 input events – the primary event A and one spare event B – as shown in Fig. 3.

Figure 3: A single Spare gate with one primary event A and one spare event B

As stated in (Stamatelatos and Vesely 2002), the output Q of the gate occurs when the primary and all spares have failed, so, in this case, when A and B have failed. A and B are basic events and cannot fail simultaneously (noted A △ B = ⊥), so Q will occur if A and B fail according to sequence [A,B] or [B,A]. It is important to note that in sequence [A,B], B fails while in its active mode (denoted as $B_a$), whereas in sequence [B,A], B fails while in its dormant mode (denoted as $B_d$). It is essential to distinguish both failure modes by using two different variables, for quantitative analysis purposes. Indeed, B does not have the same failure distribution when it fails during its dormant mode (B ≡ $B_d$) as when it fails during its active mode (B ≡ $B_a$). As we aim at making the quantitative analysis of DFTs possible from their structure function, this structure function must hence provide sufficient information to know whether spare events are in their dormant or active mode. The algebraic behavior of the Spare gate can hence be expressed as

$$Q = B_a \cdot (A \lhd B_a) + A \cdot (B_d \lhd A),$$

which expresses that the output Q of the gate fails if A fails before B – term $B_a \cdot (A \lhd B_a)$, B hence being in its active mode $B_a$ – or if B fails before A – term $A \cdot (B_d \lhd A)$, B hence being in its dormant mode $B_d$.

Furthermore, as B cannot be both in an active state and in a dormant state, we have

$$B_d \cdot B_a = \bot.$$

3.2 Algebraic model of a single Spare gate with 3 input events

Let us consider a Spare gate with 3 input events – the primary event A and two spare events B and C – as shown in Fig. 4.

Figure 4: A single Spare gate with one primary event A and two spare events B and C

As stated in (Stamatelatos and Vesely 2002), the output Q of the gate occurs when the primary and all spares have failed, so when A, B, and C have failed. A, B, and C are basic events and cannot fail simultaneously, so Q will occur if A, B, and C fail according to sequence [A,B,C], [A,C,B], [B,A,C], [B,C,A], [C,A,B], or [C,B,A]. It is important to note that, when the quantitative analysis is performed from the structure function, B and C will not have the same distribution function in the 6 sequences. For instance, in sequence [A,B,C], both B and C fail during their active mode (denoted by $B_a$ and $C_a$), whereas in sequence [B,C,A], both B and C fail during their dormant mode (denoted by $B_d$ and $C_d$). The algebraic behavior of the Spare gate can hence be expressed as

$$\begin{aligned}
Q = {} & C_a \cdot (A \lhd B_a) \cdot (B_a \lhd C_a) \\
& + B_a \cdot (A \lhd C_d) \cdot (C_d \lhd B_a) \\
& + C_a \cdot (B_d \lhd A) \cdot (A \lhd C_a) \\
& + A \cdot (B_d \lhd C_d) \cdot (C_d \lhd A) \\
& + B_a \cdot (C_d \lhd A) \cdot (A \lhd B_a) \\
& + A \cdot (C_d \lhd B_d) \cdot (B_d \lhd A)
\end{aligned}$$

As B and C cannot each be both in an active state and in a dormant state, we have

$$\begin{cases} B_d \cdot B_a = \bot \\ C_d \cdot C_a = \bot \end{cases}$$

3.3 Algebraic model of a single Spare gate with n input events

The algebraic model of a single Spare gate with n input events can be determined in the same way. It is only necessary to determine the n! possible failure sequences of the input events of the Spare gate and to denote the dormant or active mode of the (n − 1) spare events in each of these failure sequences. The algebraic model of the Spare gate is then the algebraic sum of the expressions corresponding to each failure sequence, with the additional condition that each spare event cannot be both in an active and in a dormant mode.

3.4 Algebraic model of 2 Spare gates with 2 input events sharing a spare event

Let us consider 2 Spare gates with 2 input events – with primary events A and B – sharing a spare event C, as shown in Fig. 5.

Figure 5: Two Spare gates sharing a spare event C

If we focus on the Spare gate on the left side, $Q_1$ occurs as soon as A and C have failed – as stated in Section 3.1 – or if A fails and C is made unavailable because B has failed before A. As a consequence, the algebraic model of the first Spare gate is

$$\begin{cases} Q_1 = C_a \cdot (A \lhd C_a) + A \cdot (C_d \lhd A) + A \cdot (B \lhd A) \\ C_d \cdot C_a = \bot \end{cases}$$

The algebraic expression for $Q_2$ can be determined in the same way by symmetry. Consequently, the final algebraic model of two Spare gates sharing a spare event is

$$\begin{cases} Q_1 = C_a \cdot (A \lhd C_a) + A \cdot (C_d \lhd A) + A \cdot (B \lhd A) \\ Q_2 = C_a \cdot (B \lhd C_a) + B \cdot (C_d \lhd B) + B \cdot (A \lhd B) \\ C_d \cdot C_a = \bot \end{cases}$$

3.5 Algebraic model of n Spare gates with 2 input events sharing a spare event

Let us consider n Spare gates with 1 output event $Q_i$ and 2 input events: a primary event $P_i$ – $i \in \{1, \dots, n\}$ – and a spare event S.

If we focus on the first Spare gate, $Q_1$ will occur as soon as $P_1$ and S have failed – as stated in Section 3.1 – or if $P_1$ fails and S is made unavailable because the primary event of any of the other Spare gates has failed before $P_1$. As a consequence, the algebraic model of the first Spare gate is

$$\begin{cases} Q_1 = S_a \cdot (P_1 \lhd S_a) + P_1 \cdot (S_d \lhd P_1) + \sum_{i \neq 1} P_1 \cdot (P_i \lhd P_1) \\ S_d \cdot S_a = \bot \end{cases}$$

The algebraic expression for $Q_i$, $i \in \{1, \dots, n\}$, can be determined in the same way by symmetry. Consequently, the final algebraic model of n Spare gates sharing a spare event is

$$\begin{cases} Q_i = S_a \cdot (P_i \lhd S_a) + P_i \cdot (S_d \lhd P_i) + \sum_{j \neq i} P_i \cdot (P_j \lhd P_i) \\ S_d \cdot S_a = \bot \end{cases}$$

3.6 Specific case of Cold and Hot Spare gates

The algebraic models presented in Sections 3.1 to 3.5 are the algebraic models of Spare gates in the general case of Warm Spare events. These algebraic models can be simplified in the specific cases of Cold and Hot Spare events:

• if a spare event S is a Cold Spare event, it cannot fail while in a dormant state, so $S_d$ will never occur and any expression containing $S_d$ in the algebraic models can be removed;

• if a spare event S is a Hot Spare event, it will have the same distribution function when in an active and in a dormant state, so $S_a \equiv S_d \equiv S$ and the algebraic models can be simplified accordingly.

It can be noted that the algebraic models defined above involve only the temporal operator which is used to model gates PAND and FDEP, so the expression (1) still holds in the case of a DFT with Spare gates, and the structure function of any such DFT can be determined and reduced to the canonical form in (1) as well.
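The enumeration procedure of Sections 3.1 to 3.6 (one term per failure sequence, each spare labelled dormant or active, dormant terms dropped for Cold spares) and the shared-spare expression of Section 3.5 can be written out mechanically. The Python below is an added example and not the authors' code; its function names are this example's own, and the labelling rule it applies (a spare fails in active mode only if the primary and every spare ahead of it in the spare order have already failed) is inferred from the six terms listed in Section 3.2. Terms are produced as strings using ◁ for the non-inclusive BEFORE operator.

```python
from itertools import permutations

BEFORE = "◁"  # non-inclusive BEFORE operator of the algebraic framework


def _label(event, primary, spares, seq):
    """Attach the dormant (d) / active (a) mode to a spare event according to its
    position in the failure sequence `seq`; the primary keeps its bare name."""
    if event == primary:
        return event
    k = spares.index(event)
    earlier = set(seq[:seq.index(event)])
    # a spare is active at its failure only if it had been activated, i.e. the
    # primary and all spares ahead of it in the spare order failed before it
    active = primary in earlier and all(s in earlier for s in spares[:k])
    return event + ("a" if active else "d")


def spare_gate_terms(primary, spares, cold=()):
    """Terms of Q for a single Spare gate (Sections 3.1 to 3.3), one per failure
    sequence; spares named in `cold` cannot fail dormant, so terms containing
    their dormant mode are removed (Section 3.6)."""
    spares = list(spares)
    terms = []
    for seq in permutations([primary] + spares):
        labelled = [_label(e, primary, spares, seq) for e in seq]
        if any(s + "d" in labelled for s in cold):
            continue
        chain = "·".join(f"({labelled[i]}{BEFORE}{labelled[i + 1]})"
                         for i in range(len(seq) - 1))
        terms.append(f"{labelled[-1]}·{chain}")
    return terms


def exclusion_constraints(spares):
    """Sd·Sa = ⊥ for each warm spare: a spare cannot fail in both modes."""
    return [f"{s}d·{s}a = ⊥" for s in spares]


def shared_spare_terms(i, primaries, spare, cold=False):
    """Terms of Q_i for n two-input Spare gates sharing the spare S (Section 3.5):
    Sa·(Pi◁Sa) + Pi·(Sd◁Pi) + sum over j != i of Pi·(Pj◁Pi)."""
    p = primaries[i]
    terms = [f"{spare}a·({p}{BEFORE}{spare}a)"]
    if not cold:  # a Cold spare never fails dormant (Section 3.6)
        terms.append(f"{p}·({spare}d{BEFORE}{p})")
    terms += [f"{p}·({q}{BEFORE}{p})" for j, q in enumerate(primaries) if j != i]
    return terms


if __name__ == "__main__":
    for term in spare_gate_terms("A", ["B", "C"]):
        print(term)                       # the six terms of Section 3.2
    print(exclusion_constraints(["B", "C"]))
    print(" + ".join(shared_spare_terms(0, ["A", "B"], "C")))   # Q1 of Section 3.4
    print(" + ".join(shared_spare_terms(1, ["A", "B"], "C")))   # Q2 of Section 3.4
```

For a Spare gate with n inputs the list has n! entries, which is why the paper keeps the n-input case implicit; with `cold=("C",)` the 3-input gate keeps only the two sequences in which C fails after being activated.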

4 PROBABILISTIC MODEL OF THE SPARE GATE

The probabilistic model of the Spare gates can be deduced from their algebraic model presented in Section 3 by determining the failure probability of each failure sequence thanks to the standard inclusion-exclusion formula (Trivedi 2001) and the following expressions (Amari, Dill, and Howals 2003; Fussel, Aber, and Rahl 1976), which hold under the hypothesis of statistical independence:

$$\Pr\{a \cdot b\}(t) = F_a(t) \times F_b(t)$$

$$\Pr\{a + b\}(t) = F_a(t) + F_b(t) - F_a(t) \times F_b(t)$$

$$\Pr\{a \lhd b\}(t) = \int_0^t f_a(u)\,(1 - F_b(u))\,du$$

$$\Pr\{b \cdot (a \lhd b)\}(t) = \int_0^t f_b(u)\,F_a(u)\,du \qquad (2)$$

The probabilistic model of a single Spare gate with 2 input events is presented in Section 4.1, whereas the probabilistic model of 2 Spare gates with 2 input events sharing a spare event is presented in Section 4.2.


4.1 Probabilistic model of a single Spare gate with 2 input events

According to Section 3.1, the algebraic model of a single Spare gate with 2 input events is

$$Q = B_a \cdot (A \lhd B_a) + A \cdot (B_d \lhd A).$$

On the one hand, the cumulative distribution function (Cdf) and probability density function (pdf) of $B_d$ do not depend on A, so $\Pr\{A \cdot (B_d \lhd A)\}(t)$ can be determined by means of the expressions (2) as

$$\Pr\{A \cdot (B_d \lhd A)\}(t) = \int_0^t f_A(u)\,F_{B_d}(u)\,du$$

On the other hand, the Cdf and pdf of $B_a$ depend on the failure date of A, so $\Pr\{B_a \cdot (A \lhd B_a)\}(t)$ cannot be determined by means of the expressions (2). If we respectively denote by $T_A$ and $T_{B_a}$ the failure dates of A and $B_a$, $\Pr\{B_a \cdot (A \lhd B_a)\}(t)$ can be defined as

$$\Pr\{B_a \cdot (A \lhd B_a)\}(t) = \Pr\{T_A \le T_{B_a} \le t\} = \mathbb{E}\big[\mathbf{1}_{\{T_A \le T_{B_a}\}}\,\mathbf{1}_{\{T_{B_a} \le t\}}\big],$$

where $\mathbf{1}$ is the indicator function and $\mathbb{E}$ is the expectation, such that

$$\mathbb{E}[\mathbf{1}_A] = \Pr\{A\}.$$

According to the law of total expectation (Billingsley 1995), if X is an integrable random variable and if Y is any random variable, not necessarily integrable, on the same probability space, then

$$\mathbb{E}[X] = \mathbb{E}\big[\mathbb{E}[X \mid Y]\big].$$

As a consequence,

$$\Pr\{B_a \cdot (A \lhd B_a)\}(t) = \int_0^t \left( \int_v^t f_{T_B \mid T_A}(u \mid T_A = v)\,du \right) f_{T_A}(v)\,dv = \int_0^t \left( \int_v^t f_{B_a}(u, v)\,du \right) f_A(v)\,dv.$$

The probabilistic model of a single Spare gate with 2 input events hence is

$$\Pr\{Q\}(t) = \int_0^t \left( \int_v^t f_{B_a}(u, v)\,du \right) f_A(v)\,dv + \int_0^t F_{B_d}(u)\,f_A(u)\,du.$$

The probabilistic model of a single Spare gate with 3 or even n input events can be determined in the same way from the algebraic model of Spare gates presented in Sections 3.2 and 3.3.

4.2 Probabilistic model of 2 Spare gates with 2 input events sharing a spare event

According to Section 3.4, the algebraic model of the Spare gate on the left side in Fig. 5 is

$$Q_1 = C_a \cdot (A \lhd C_a) + A \cdot (C_d \lhd A) + A \cdot (B \lhd A).$$

It can be noted that the first two terms of this expression – $C_a \cdot (A \lhd C_a)$ and $A \cdot (C_d \lhd A)$ – do not depend on B, while the third term – $A \cdot (B \lhd A)$ – does. As a consequence, these three terms are not disjoint. This expression can be converted to an equivalent form which contains only disjoint terms by introducing B in the first two terms:

$$\begin{aligned}
Q_1 = {} & C_a \cdot (A \lhd B) \cdot (B \lhd C_a) \\
& + B \cdot (A \lhd C_a) \cdot (C_a \lhd B) \\
& + C_a \cdot (A \lhd C_a) \cdot \bar{B} \\
& + B \cdot (C_d \lhd A) \cdot (A \lhd B) \\
& + A \cdot (C_d \lhd A) \cdot \bar{B} \\
& + A \cdot (B \lhd A).
\end{aligned} \qquad (3)$$

Its failure probability thus is

$$\begin{aligned}
\Pr\{Q_1\}(t) = {} & \Pr\{C_a \cdot (A \lhd B) \cdot (B \lhd C_a)\}(t) \\
& + \Pr\{B \cdot (A \lhd C_a) \cdot (C_a \lhd B)\}(t) \\
& + \Pr\{C_a \cdot (A \lhd C_a) \cdot \bar{B}\}(t) \\
& + \Pr\{B \cdot (C_d \lhd A) \cdot (A \lhd B)\}(t) \\
& + \Pr\{A \cdot (C_d \lhd A) \cdot \bar{B}\}(t) \\
& + \Pr\{A \cdot (B \lhd A)\}(t)
\end{aligned} \qquad (4)$$

and can hence be expressed according to the failure distributions of A, B, and C as follows:

$$\begin{aligned}
\Pr\{Q_1\}(t) = {} & \int_0^t \left( \int_w^t \left( \int_w^u f_B(v)\,dv \right) f_{C_a}(u, w)\,du \right) f_A(w)\,dw \\
& + \int_0^t \left( \int_0^u \left( \int_v^u f_{C_a}(w, v)\,dw \right) f_A(v)\,dv \right) f_B(u)\,du \\
& + \big(1 - F_B(t)\big) \int_0^t \left( \int_v^t f_{C_a}(u, v)\,du \right) f_A(v)\,dv \\
& + \int_0^t \left( \int_0^u f_A(v)\,F_{C_d}(v)\,dv \right) f_B(u)\,du \\
& + \big(1 - F_B(t)\big) \int_0^t f_A(u)\,F_{C_d}(u)\,du \\
& + \int_0^t f_A(u)\,F_B(u)\,du
\end{aligned}$$

The failure probability of $Q_2$ can be determined in the same way, by symmetry. The probabilistic model of n Spare gates with 2 input events sharing a common spare event can be determined in the same way from the algebraic model in Section 3.5.

5 APPLICATION TO A DFT EXAMPLE

We propose to determine the failure probability of the Spare gates of a DFT example from (Boudali and Dugan 2005) which is depicted in Fig. 6.

This DFT models the failure of a hypothetical cardiac assist system (HCAS) which is divided into 4 modules: Trigger, CPU unit, motor section, and pumps. The Trigger consists of a crossbar switch (CS) and a system supervision (SS). The failure of either CS or SS triggers the failure of both CPUs. The CPU unit is a warm spare, which has a primary P and a spare unit B having a dormancy of 0.5. For the motor section to function, either MOTOR or MOTORC needs to be working. The pumps unit is comprised of two cold spares, each having a primary pump (PUMP 1 and PUMP 2), and sharing a common spare pump (Backup PUMP). In order for the pumps unit to fail, all three pumps need to fail and CSP 1 needs to fail before (or at the same time as) CSP 2, i.e. a PAND gate.

This DFT can be divided into 3 subtrees:

• subtree 1, which corresponds to the failure of the CPU unit: this subtree contains one OR gate, one FDEP gate, and one Warm Spare gate, and is hence dynamic;

• subtree 2, which corresponds to the failure of the motor section: this subtree contains a single AND gate and is hence static;

• subtree 3, which corresponds to the failure of the pumps unit: this subtree contains one PAND gate and two Cold Spare gates, and is hence dynamic.

The failure probability of the two Spare gates of subtree 3 can be determined thanks to the probabilistic model of Section 4.2:

$$\begin{aligned}
\Pr\{CSP_1\}(t) = {} & \int_0^t \left( \int_w^t \left( \int_w^u f_{P_2}(v)\,dv \right) f_{BP_a}(u, w)\,du \right) f_{P_1}(w)\,dw \\
& + \int_0^t \left( \int_0^u \left( \int_v^u f_{BP_a}(w, v)\,dw \right) f_{P_1}(v)\,dv \right) f_{P_2}(u)\,du \\
& + \big(1 - F_{P_2}(t)\big) \int_0^t \left( \int_v^t f_{BP_a}(u, v)\,du \right) f_{P_1}(v)\,dv \\
& + \int_0^t f_{P_1}(u)\,F_{P_2}(u)\,du
\end{aligned}$$

where $CSP_1$ denotes the output of the Spare gate CSPGate 1, and $P_1$, $P_2$, and $BP$ denote the basic events PUMP 1, PUMP 2, and Backup PUMP, respectively. It can be noted that, contrary to the probabilistic model of Section 4.2, this expression contains only 4 terms, since BP is a cold spare event which consequently cannot fail while in its dormant mode.

In the same way,

$$\begin{aligned}
\Pr\{CSP_2\}(t) = {} & \int_0^t \left( \int_w^t \left( \int_w^u f_{P_1}(v)\,dv \right) f_{BP_a}(u, w)\,du \right) f_{P_2}(w)\,dw \\
& + \int_0^t \left( \int_0^u \left( \int_v^u f_{BP_a}(w, v)\,dw \right) f_{P_2}(v)\,dv \right) f_{P_1}(u)\,du \\
& + \big(1 - F_{P_1}(t)\big) \int_0^t \left( \int_v^t f_{BP_a}(u, v)\,du \right) f_{P_2}(v)\,dv \\
& + \int_0^t f_{P_2}(u)\,F_{P_1}(u)\,du
\end{aligned}$$

where $CSP_2$ denotes the output of the Spare gate CSPGate 2.

Figure 6: The HCAS Dynamic Fault Tree from (Boudali and Dugan 2005)

In the particular case of exponential distributions,

$$F_{P_1}(t) = 1 - e^{-\lambda_{P_1} t}, \qquad F_{P_2}(t) = 1 - e^{-\lambda_{P_2} t},$$

$$F_{BP_d}(t) = 0, \qquad F_{BP_a}\big(t, \min(t_{P_1}, t_{P_2})\big) = 1 - e^{-\lambda_{BP}\,(t - \min(t_{P_1}, t_{P_2}))}.$$

If we consider failure rates $\lambda_{P_1} = \lambda_{P_2} = \lambda_{BP} = 2.5 \times 10^{-3}$ for $P_1$, $P_2$, and $BP$, we get a failure probability of 0.84 at mission time T = 1,000 hours for both Spare gates. This result is the same as the result obtained with the tool Galileo (Dugan, Sullivan, and Coppit 2000). It can be noted that the failure probability of the Top Event of the DFT in Fig. 6 could be determined as well, thanks to the theorems and the probabilistic models of gates PAND and FDEP presented in (Merle, Roussel, Lesage, and Bobbio 2010).

However, a Weibull distribution would be more suitable to model the failure behavior – and the aging – of pumps, but such a distribution cannot be handled by methods based on Continuous-Time Markov Chains or Stochastic Petri Nets. The probabilistic model that we provide for Spare gates does not depend on the failure distribution considered for basic events, and thus makes it possible to consider such a case. The Weibull distribution has the expression

$$F(t) = 1 - e^{-\left(\frac{t - \gamma}{\eta}\right)^{\beta}}, \qquad \lambda(t) = \frac{\beta\,(t - \gamma)^{\beta - 1}}{\eta^{\beta}},$$

so that

$$F(t) = 1 - e^{-\int_0^t \lambda(u)\,du}.$$

Let us consider that the failure of basic events is modeled by a Weibull distribution with a failure rate $\lambda(t) = 5 \times 10^{-3} - 10^{-6}\,t$, which means that the pumps have an "infant mortality" and will fail at a constant failure rate $\lambda = 2.5 \times 10^{-3}$ after 2,500 hours. We thus obtain a failure probability of 0.98 at mission time T = 1,000 hours for both Spare gates.
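The integral models of Sections 4.1 and 5 can be evaluated numerically for any failure law supplied as pdf/CDF callables, which is the point of the distribution-free claim above. The Python below is an added example and not the authors' code (the paper's figures were cross-checked with Galileo); its function names are this example's own. It assumes that a spare's active life is a fresh clock started at its activation date, that a warm spare must first survive its dormant period, and that the decreasing failure rate of the last case is integrated as $H(t) = 5 \times 10^{-3}\,t - 0.5 \times 10^{-6}\,t^2$. Under those assumptions it reproduces the 0.84 and 0.98 figures for the shared cold spare, and checks the two-input warm-spare double integral against a closed form derived here for exponential laws.

```python
"""Numerical evaluation of the Spare-gate integral models (added example)."""
import math


def simpson(f, a, b, n=64):
    """Composite Simpson rule for the integral of f over [a, b]; n is made even."""
    if b <= a:
        return 0.0
    n += n % 2
    h = (b - a) / n
    total = f(a) + f(b)
    for k in range(1, n):
        total += (4 if k % 2 else 2) * f(a + k * h)
    return total * h / 3.0


def from_hazard(hazard, cumulative_hazard):
    """(pdf, CDF) of a law given by its failure rate lambda(t) and H(t) = int_0^t lambda,
    using F(t) = 1 - exp(-H(t)) and f(t) = lambda(t) (1 - F(t))."""
    cdf = lambda x: 1.0 - math.exp(-cumulative_hazard(x))
    pdf = lambda x: hazard(x) * math.exp(-cumulative_hazard(x))
    return pdf, cdf


def exponential(lam):
    """(pdf, CDF) of an exponential law with constant failure rate lam."""
    return from_hazard(lambda x: lam, lambda x: lam * x)


def active_after(pdf):
    """pdf f_Xa(u, start) of a spare whose active life starts at date `start`.
    Assumption of this example: a fresh clock with pdf `pdf` started at `start`."""
    return lambda u, start: pdf(u - start) if u >= start else 0.0


def single_warm_spare(t, f_A, F_Bd, f_Ba, n=64):
    """Pr{Q}(t) of Section 4.1: 2-input Warm Spare gate, primary A, spare B."""
    # Ba.(A < Ba): A fails at v, B (active since v) fails at u in (v, t)
    active = simpson(lambda v: f_A(v) * simpson(lambda u: f_Ba(u, v), v, t, n), 0.0, t, n)
    # A.(Bd < A): B fails in dormant mode before A, which fails at u
    dormant = simpson(lambda u: F_Bd(u) * f_A(u), 0.0, t, n)
    return active + dormant


def single_warm_spare_exponential(t, lam_A, lam_d, lam_a):
    """Closed form of single_warm_spare (hand-derived for this example) when A, the
    dormant spare and the active spare are exponential with rates lam_A, lam_d, lam_a."""
    s = lam_A + lam_d - lam_a
    tail = t if abs(s) < 1e-12 else (1.0 - math.exp(-s * t)) / s
    return 1.0 - math.exp(-lam_A * t) - lam_A * math.exp(-lam_a * t) * tail


def shared_cold_spare(t, f_P1, f_P2, F_P2, f_BPa, n=32):
    """Pr{CSP1}(t) of Section 5: primaries P1, P2 share a cold spare BP (F_BPd = 0)."""
    # [P1, P2, BP]: P1 at w, P2 at v in (w, u), BP (active since w) at u
    term1 = simpson(lambda w: f_P1(w) * simpson(
        lambda u: f_BPa(u, w) * simpson(f_P2, w, u, n), w, t, n), 0.0, t, n)
    # [P1, BP, P2]: P1 at v, BP (active since v) at w in (v, u), P2 at u
    term2 = simpson(lambda u: f_P2(u) * simpson(
        lambda v: f_P1(v) * simpson(lambda w: f_BPa(w, v), v, u, n), 0.0, u, n), 0.0, t, n)
    # [P1, BP] with P2 still working at mission time t
    term3 = (1.0 - F_P2(t)) * simpson(
        lambda v: f_P1(v) * simpson(lambda u: f_BPa(u, v), v, t, n), 0.0, t, n)
    # [P2, P1]: BP already serves P2, so P1 has no spare left when it fails
    term4 = simpson(lambda u: f_P1(u) * F_P2(u), 0.0, t, n)
    return term1 + term2 + term3 + term4


def warm_cpu_example(t=1000.0, lam=2.5e-3, dormancy=0.5):
    """Section 4.1 model with the HCAS CPU dormancy of 0.5 (rate is constructed);
    returns (numerical value, closed form)."""
    f_A, _ = exponential(lam)
    _, F_Bd = exponential(dormancy * lam)
    fresh = active_after(exponential(lam)[0])
    # the spare must survive its dormant period up to v before failing in active mode
    f_Ba = lambda u, v: (1.0 - F_Bd(v)) * fresh(u, v)
    return (single_warm_spare(t, f_A, F_Bd, f_Ba),
            single_warm_spare_exponential(t, lam, dormancy * lam, lam))


def pumps_exponential(t=1000.0, lam=2.5e-3):
    """Section 5, exponential pumps: the paper reports 0.84 at T = 1,000 h."""
    f_P, F_P = exponential(lam)
    return shared_cold_spare(t, f_P, f_P, F_P, active_after(f_P))


def pumps_decreasing_hazard(t=1000.0):
    """Section 5 with the failure rate 5e-3 - 1e-6 t of the paper's last case;
    only the pdf/CDF callables change, the integrals are the same."""
    f_P, F_P = from_hazard(lambda x: 5e-3 - 1e-6 * x, lambda x: 5e-3 * x - 0.5e-6 * x * x)
    return shared_cold_spare(t, f_P, f_P, F_P, active_after(f_P))


if __name__ == "__main__":
    num, closed = warm_cpu_example()
    print(f"warm spare (2 inputs): numeric {num:.4f}, closed form {closed:.4f}")
    print(f"shared cold spare, exponential pumps: {pumps_exponential():.4f}")
    print(f"shared cold spare, decreasing hazard: {pumps_decreasing_hazard():.4f}")
```

Two sanity checks fall out of the closed form: with a zero dormant rate (Cold spare) it reduces to the Erlang-2 distribution of two sequential exponential lives, and with equal dormant and active rates (Hot spare) to the product of the two independent CDFs, which is the static AND gate of expressions (2).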

6 CONCLUSION

In this paper, we have presented an algebraic model of Spare gates. This model can be determined for any number of Spare gates with any number of input events, whether they share spare events or not, and for any type of Spare gate. This algebraic model allowed us to deduce a probabilistic model of Spare gates which does not depend on the failure distribution considered for basic events.

Ongoing work addresses the elaboration of efficient algorithms to automatically compute the structure function of DFTs and perform their analysis.


REFERENCES

Amari, S., G. Dill, and E. Howals (2003). A new approach to solve dynamic fault-trees. In Proceedings of the IEEE Annual Reliability and Maintainability Symposium, pp. 374–379.

Billingsley, P. (1995). Probability and Measure. New York, USA: John Wiley & Sons.

Bobbio, A. and D. C. Raiteri (2004). Parametric Fault Trees with Dynamic Gates and Repair Boxes. In Proceedings of the Annual Reliability and Maintainability Symposium (RAMS), Los Angeles, CA, USA, pp. 459–465.

Boudali, H., P. Crouzen, and M. Stoelinga (2007). A compositional semantics for dynamic fault trees in terms of interactive Markov chains. In Proceedings of the 5th International Symposium on Automated Technology for Verification and Analysis (ATVA 2007), Tokyo, Japan, pp. 441–456.

Boudali, H. and J. B. Dugan (2005). A discrete-time Bayesian network reliability modeling and analysis framework. Reliability Engineering & System Safety 87, 337–349.

Coppit, D. and K. J. Sullivan (2002). Designing Modeling Languages: A Case Study in Dynamic Fault Trees. IEEE Transactions on Dependable and Secure Computing.

Dugan, J., S. Bavuso, and M. Boyd (1990). Fault Trees and Sequence Dependencies. In Proceedings of the Annual Reliability and Maintainability Symposium (RAMS 1990), pp. 286–293.

Dugan, J., K. Sullivan, and D. Coppit (2000). Developing a low-cost high-quality software tool for dynamic fault-tree analysis. IEEE Transactions on Reliability 49(1), 49–59.

Dugan, J. B., S. Bavuso, and M. Boyd (1992). Dynamic fault-tree models for fault-tolerant computer systems. IEEE Transactions on Reliability 41, 363–377.

Dutuit, Y. and A. Rauzy (1996). A Linear-Time Algorithm to Find Modules of Fault Trees. IEEE Transactions on Reliability 45(3), 422–425.

Fussel, J., E. Aber, and R. Rahl (1976). On the quantitative analysis of priority-AND failure logic. IEEE Transactions on Reliability R-25(5), 324–326.

Gulati, R. and J. Dugan (1997). A modular approach for analyzing static and dynamic fault trees. In Proceedings of the Annual Reliability and Maintainability Symposium, Philadelphia, PA, USA, pp. 57–63.

Henley, E. and H. Kumamoto (1981). Reliability Engineering and Risk Assessment. Englewood Cliffs: Prentice Hall.

Leveson, N. (1995). Safeware: System Safety and Computers. Addison-Wesley.

Merle, G. and J.-M. Roussel (2007). Algebraic modelling of Fault Trees with Priority AND gates. In Proceedings of the 1st IFAC Workshop on Dependable Control of Discrete Systems (DCDS'07), Paris, France, pp. 175–180.

Merle, G., J.-M. Roussel, J.-J. Lesage, and A. Bobbio (2009). Algebraic Expression of the Structure Function of a subclass of Dynamic Fault Trees. In Proceedings of the 2nd IFAC Workshop on Dependable Control of Discrete Systems (DCDS'09), Bari, Italy, pp. 129–134.

Merle, G., J.-M. Roussel, J.-J. Lesage, and A. Bobbio (2010). Probabilistic Algebraic Analysis of Fault Trees with Priority Dynamic Gates and Repeated Events. IEEE Transactions on Reliability 59(1), 250–261.

Raiteri, D. C. (2005). The Conversion of Dynamic Fault Trees to Stochastic Petri Nets, as a case of Graph Transformation. Electronic Notes in Theoretical Computer Science 127(2), 45–60.

Stamatelatos, M. and W. Vesely (2002). Fault Tree Handbook with Aerospace Applications. Volume 1.1, pp. 1–205. NASA Office of Safety and Mission Assurance.

Tang, Z. and J. Dugan (2004). Minimal cut set/sequence generation for dynamic fault trees. In Proceedings of the Annual Reliability and Maintainability Symposium, Los Angeles, CA, USA, pp. 207–213.

Trivedi, K. (2001). Probability & Statistics with Reliability, Queueing & Computer Science Applications (2nd ed.). Wiley.
